[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] isolating multiple server requests

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] isolating multiple server requests
From: coderman <coderman@xxxxxxxxx>
Date: Wed, 27 May 2015 11:20:44 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 27 May 2015 14:20:58 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=Pcngq/HuXMnR8eGQYfbr5qda2h/eXxzjMUU3hb0nIdc=; b=J+8U3TI0cM7sQzgqoY3GtoD1qnf6SMWdbidyoZe8HcHLIutqaPwCG5pmCcDIAl8WZn 1+HQ56hCDP92IY1/Vf24AQP+FBKaVf2tPXL0nE1qX3q5UuVmZqkqaT9tKZbdftr3YVFp I7VysMVv2VofwyMOwDjCOMyll7SZ4NX6gAzMJ53Ba0pxSwKzqa/IXNkTMZ3GrRvFFXym CYAVxRDvEpUGyEh8ykwH50TFV7dtryFkfhZhUomQu5TcNM3L9/57Y5z97wmOcnDuc1p6 W8db7Fz9oKVX7V4Ti8P9zF76TF77XqehAAqt4D5tsyfn+TfLOvJcXCROvS/Kb4XHPku/ X7sg==
In-reply-to: <02a901d0987b$a01eb230$e05c1690$@gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <02a901d0987b$a01eb230$e05c1690$@gmail.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 5/27/15, Allen <allenpmd@xxxxxxxxx> wrote:
> I have a client application that Tor to communicate with several servers.
> For privacy reasons, it is important that after each request, the client
> starts with a "fresh slate" so the server is not able to tell that the next
> request is coming from the same client.

ok, this is "stream isolation" and supported, as you discuss.

> 1. The client can make a new connection to the Tor proxy with a new unique
> username, see
> https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt.  My
> concern here is that over time, the Tor proxy will build up a long list of
> prior usernames that are never going to be used again.

you can expire out oldest, but i don't think you'll find this a
problem in practice.

> 2. The client can send Tor proxy a NEWNYM signal on its control port.

right; this is a big hammer - more than just isolation, although it
can be used to enforce isolation forward.

>  My concerns here are that:
> a. The spec implies Tor proxy might ignore that signal, see
> https://gitweb.torproject.org/torspec.git/tree/control-spec.txt

you can use stem to manually control / cull circuits and streams, too.
a back-up plan, perhaps.

> b. It is not clear to me how to be certain when the request has completed
> and it is safe to attempt a new connection.

right - you'd need to look at actual circuits via control port to know
for certain in all circumstances.

> c. That would reset circuits to all servers, including some circuits that
> might be in use.  While I don't think that would result in an error, it
> would slow down those requests and make Tor do unnecessary work to
> reestablish circuits.

right; also trade-off's involved.

> 3. The client can somehow talk directly to the Tor controller to establish
> new circuits.  My concern here is the complexity and potential to make a
> programming mistake that leads to information disclosure.

some Tor control port consumers restrict to only a few necessary
commands - thus eliminating the truly ugly and trivial attacks against
your anonymity using the control port against you.

stem is a nice python interface to do what you want. it is adding
complexity, but implemented thoughtfully the benefit would outweigh
risk.

> What is the best approach in this situation?

see also options:
IsolateClientAddr, IsolateSOCKSAuth, IsolateClientProtocol,
IsolateDestPort, IsolateDestAddr, etc.

note that potentially only on by default are: IsolateClientAddr,
IsolateSOCKSAuth

there is also a trac,
 #16004: Support Isolation by SCM_CREDENTIALS / SCM_CREDS for AF_UNIX
endpoints - https://bugs.torproject.org/16004 which may be relevant to
you.

best regards,
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] isolating multiple server requests
  - From: Allen

References:
- [tor-talk] isolating multiple server requests
  - From: Allen

Prev by Author: Re: [tor-talk] Hidden Service Scaling Summer of Privacy Project
Next by Author: [tor-talk] someone doesn't like my IP
Previous by thread: [tor-talk] isolating multiple server requests
Next by thread: Re: [tor-talk] isolating multiple server requests
Index(es):
- Author
- Thread